Product: [Fourelle|Venturi Wireless] Venturi Client
(all versions prior to 2.2)
Brief Description: Acts as an open proxy for protocols
including SMTP.
Description: Venturi Client is a multi-protocol proxy
that operates in conjunction with a proprietary
transcoding server. It inserts itself into the
networking stack in order to transparently intercept
network requests. In versions prior to 2.2 remote
machines are able to proxy just about anything through
the system. Although it can be used for more, the only
wild attack I have detected was by a spammer looking to
make an open SMTP relay. (Several hundred thousand
spams were sent in the two hours it took to detect and
disconnect the compromised machine.)
Recommended actions:
1] Uninstall the product. Removing the front end GUI
from the startup menu is not sufficient.
2] Upgrade from v2.1 to 2.2 using the now released
patch:
http://www.venturiwireless.com/tech_support/Q_and_A/Q_A_09.htm
3] Use a firewall to prevent outside connections to
machine.
Distributed by: Verizon Wireless as part of their
Mobile Office package. The company also claim
partnership with Motorola, Sierra Wireless, Telus, Bell
Mobility, CommWorks (3Com) and DDI Pocket. I believe
that enterprises can also purchase this product directly.
Company Reaction: Venturi Wireless knew of this flaw
and had an unpublished patch as of my initial contact
on the 12th of May. It is unclear how long they have
known about it. They claimed it had not been found to
be used in the wild. We negotiated that they would
publicly release information by the 16th in return for
a couple days to write up a notice. They have now
posted the patch, with no details, at
http://www.venturiwireless.com/tech_support/Q_and_A/Q_A_09.htm
There is as of yet no link on their site to this page,
and I suspect it will be buried when there is. Given
the severity of this vulnerability I am posting this to
some appropriate newsgroups and bugtraq.
Josh Steinhurst
Department of Computer Science
University of North Carolina at Chapel Hill